CVE-2025-58130

Critical

Published: 12 December 2025

Published

12 December 2025

Modified

18 December 2025

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0010 27.9th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Insufficiently Protected Credentials vulnerability in Apache Fineract. This issue affects Apache Fineract: through 1.11.0. The issue is fixed in version 1.12.1. Users are encouraged to upgrade to version 1.13.0, the latest release.

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the CVE by requiring identification, reporting, and timely patching of the insufficiently protected credentials flaw in Apache Fineract versions through 1.11.0.

IA-5 Authenticator Management good match

prevent

Ensures authenticators such as credentials in Apache Fineract are securely managed, protected from unauthorized disclosure, and properly handled to prevent exposure to unauthenticated attackers.

SC-28 Protection of Information at Rest good match

prevent

Implements cryptographic protection for credentials at rest, directly addressing the insufficient protection that allows remote unauthenticated access in vulnerable Fineract versions.

Security SummaryAI

Apache Fineract, an open-source core banking platform, is affected by CVE-2025-58130, an Insufficiently Protected Credentials vulnerability classified under CWE-522. This flaw impacts all versions of Apache Fineract through 1.11.0, where credentials are not adequately safeguarded, potentially exposing sensitive authentication data. The vulnerability carries a CVSS v3.1 base score of 9.1, indicating critical severity due to its high impact on confidentiality and integrity.

Remote attackers require no privileges, authentication, or user interaction to exploit this issue over the network with low complexity. Successful exploitation allows unauthenticated adversaries to access protected credentials, enabling high-level compromise of confidentiality by reading sensitive data and integrity by modifying it, without affecting availability.

Apache advisories confirm the issue is fixed in version 1.12.1, with users strongly encouraged to upgrade to the latest release, 1.13.0, for comprehensive protection. Relevant discussions are available in the Apache mailing list announcement and OSS-Security mailing list post.

Details

CWE(s): CWE-522

Affected Products

apache

fineract

≤ 1.12.1

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1212 Exploitation for Credential Access Credential Access

Adversaries may exploit software vulnerabilities in an attempt to collect credentials.

attack.mitre.org →

Why these techniques?

Unauthenticated remote exploitation of a public-facing banking platform vulnerability enables initial access (T1190) and specifically facilitates credential collection via software exploitation (T1212) by exposing and allowing modification of insufficiently protected credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://lists.apache.org/thread/d9zpkc86zk265523tfvbr8w7gyr6onoy
Issue Tracking, Vendor Advisory · security@apache.org
http://www.openwall.com/lists/oss-security/2025/12/11/6
Mailing List, Third Party Advisory · af854a3a-2127-422b-91ae-364da2661108